Differentially private linear queries on histograms

ABSTRACT

The privacy of linear queries on histograms is protected. A database containing private data is queried. Base decomposition is performed to recursively compute an orthonormal basis for the database space. Using correlated (or Gaussian) noise and/or least squares estimation, an answer having differential privacy is generated and provided in response to the query. In some implementations, the differential privacy is ε-differential privacy (pure differential privacy) or is (ε,δ)-differential privacy (i.e., approximate differential privacy). In some implementations, the data in the database may be dense. Such implementations may use correlated noise without using least squares estimation. In other implementations, the data in the database may be sparse. Such implementations may use least squares estimation with or without using correlated noise.

BACKGROUND

In recent years, there has been an abundance of rich and fine-graineddata about individuals in domains such as healthcare, finance, retail,web search, and social networks. It is desirable for data collectors toenable third parties to perform complex data mining applications oversuch data. However, privacy is an obstacle that arises when sharing dataabout individuals with third parties, since the data about eachindividual may contain private and sensitive information.

One solution to the privacy problem is to add noise to the data. Theaddition of the noise may prevent a malicious third party fromdetermining the identity of a user whose personal information is part ofthe data or from establishing with certainty any previously unknownattributes of a given user. However, while such methods are effective inproviding privacy protection, they may overly distort the data, reducingthe value of the data to third parties for data mining applications.

A system is said to provide differential privacy if the presence orabsence of a particular record or value cannot be determined based on anoutput of the system, or can only be determined with a very lowprobability. For example, in the case of medical data, a system may beprovided that outputs answers to queries supplied such as the number ofusers with diabetes. While the output of such a system may be anonymousin that it does not reveal the identity of the patients associated withthe data, a curious user may attempt to make inferences about thepresence or absence of patients by varying the queries made to thesystem and observing the changes in output. For example, a user may havepreexisting knowledge about a rare condition associated with a patientand may infer other information about the patient by restricting queriesto users having the condition. Such a system may not providedifferential privacy because the presence or absence of a patient in themedical data (i.e., a record) may be inferred from the answers returnedto the queries (i.e., output).

Typically, systems provide differential privacy (for protecting theprivacy of user data stored in a database) by introducing some amount oferror or noise to the data or to the results of operations or queriesperformed on the data to hide specific information of any individualuser. For example, noise may be added to each query using a distributionsuch as a Laplacian distribution. At the same time, one would like thenoise to be as small as possible so that the answers are stillmeaningful. Existing methods may add more error or noise than isnecessary or optimal to provide differential privacy protection (i.e.,ensuring the privacy goal be met).

SUMMARY

Techniques are provided for protecting the privacy of datasetsresponsive to linear queries on histograms. A database containingprivate data is queried. Base decomposition is performed to recursivelycompute an orthonormal basis for the database space. Using correlated(or Gaussian) noise and/or least squares estimation, an answer havingdifferential privacy is generated and provided in response to the query.

In some implementations, the differential privacy is ε-differentialprivacy (pure differential privacy). In some implementations, thedifferential privacy is (ε, δ)-differential privacy (i.e., approximatedifferential privacy).

In some implementations, the data in the database may be dense. Suchimplementations may use correlated noise without using least squaresestimation. In other implementations, the data in the database may besparse. Such implementations may use least squares estimation with orwithout using correlated noise, depending on the implementation.

This summary is provided to introduce a selection of concepts in asimplified form that is further described below in the detaileddescription. This summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary, as well as the following detailed description ofillustrative embodiments, is better understood when read in conjunctionwith the appended drawings. For the purpose of illustrating theembodiments, there is shown in the drawings example constructions of theembodiments; however, the embodiments are not limited to the specificmethods and instrumentalities disclosed. In the drawings:

FIG. 1 is an illustration of an exemplary environment for protecting theprivacy of datasets;

FIG. 2 is an illustration of an example privacy protector;

FIG. 3 is an operational flow of an implementation of a method that maybe used in providing differential privacy to an answer to a query;

FIG. 4 is an operational flow of an implementation of a method forproviding differential privacy in the case of a dense database;

FIG. 5 is an operational flow of an implementation of a method forproviding differential privacy in the case of a sparse database; and

FIG. 6 shows an exemplary computing environment in which exampleembodiments and aspects may be implemented.

DETAILED DESCRIPTION

Differential privacy is a privacy definition that has become thestandard notion of privacy in statistical databases. Informally, amechanism (a randomized function on databases) satisfies differentialprivacy if the distribution of the outcome of the mechanism does notchange noticeably when one individual's input to the database ischanged. Privacy is measured by how small this change is: anε-differentially private mechanism M satisfiesPr[M(x)∈S]≦exp(ε)Pr[M(x′)∈S] for any pair x, x′ of neighboringdatabases, and for any measurable subset S of the range. A relaxation ofthis definition is approximate differential privacy. A mechanism M is(ε, δ)-differentially private if Pr[M(x)∈S]≦exp(ε)Pr[M(x′)∈S]+δ with x,x′, S as before. Here, δ is thought of as negligible in the size of thedatabase. Both these definitions satisfy properties such ascomposability, and are resistant to post-processing of the output of themechanism.

In recent years, research has shown that this strong privacy definitionstill allows for very accurate analyses of statistical databases. At thesame time, answering a large number of adversarially chosen queriesaccurately is inherently impossible with any semblance of privacy. Thus,there is an inherent trade-off between privacy and accuracy whenanswering a large number of queries. This trade-off is contemplatedherein in the context of counting queries and more generally linearqueries over histograms.

FIG. 1 is an illustration of an exemplary environment 100 for protectingthe privacy of datasets such as data in one or more databases. Theenvironment 100 may include a dataset provider 130, a privacy protector160, and a client device 110. The client device 110, dataset provider130, and the privacy protector 160 may be configured to communicatethrough a network 120. The network 120 may be a variety of network typesincluding the public switched telephone network (PSTN), a cellulartelephone network, and a packet switched network (e.g., the Internet).While only one client device 110, dataset provider 130, and privacyprotector 160 are shown, it is for illustrative purposes only; there isno limit to the number of client devices 110, dataset providers 130, andprivacy protectors 160 that may be supported by the environment 100.

In some implementations, the client device 110 may include a desktoppersonal computer, workstation, laptop, PDA, smart phone, cell phone, orany WAP-enabled device or any other computing device capable ofinterfacing directly or indirectly with the network 120, such as thecomputing device 600 described with respect to FIG. 6. The client device110 may run an HTTP client, e.g., a browsing program, such as MICROSOFTINTERNET EXPLORER or other browser, or a WAP-enabled browser in the caseof a cell phone, PDA or other wireless device, or the like.

The dataset provider 130 may generate a dataset 135. The dataset 135 maybe in a database format, for example, and comprise a collection of dataand may include data related to a variety of topics including but notlimited to healthcare, finance, retail, and social networking. Thedataset 135 may have a plurality of rows and each row may have a numberof values or columns. The number of values associated with each row inthe dataset 135 is referred to as the dimension of the dataset 135.Thus, for example, a row with twenty columns has a dimension of twenty.

In some implementations, depending on the type of dataset 135, each rowof the dataset 135 may correspond to a user, and each value maycorrespond to an attribute of the user. For example, where the dataset135 is healthcare data, there may be a row for each user associated withthe dataset 135 and the values of the row may include height, weight,sex, and blood type.

As may be appreciated, publishing or providing the dataset 135 by thedataset provider 130 may raise privacy issues, as would publishing orproviding a query answer based on the dataset. Even where personalinformation such as name or social security number have been removedfrom the dataset 135, malicious users may still be able to identifyusers based on the dataset 135 or answers obtained from the dataset 135,or through combination with other information such as information foundon the internet or from other datasets.

Accordingly, the privacy protector 160 may receive the dataset 135 and aquery 115 and may generate an answer 165 with privacy using the dataset135 and the query 115. The answer 165 may then be published or providedto the client device 110 (e.g., that provided the query). The answer 165generated by the privacy protector 160 may provide one or more privacyguarantees. The desired privacy guarantee(s) may be received from a useror administrator, for example.

As described further with respect to FIG. 2, in implementations, theprivacy protector 160 may provide the privacy guarantees using efficientnearly optimal algorithms for approximate privacy in the cases of densedatabases and sparse databases.

In an implementation, the dataset 135 may comprise a database thatcontains n people in a universe of size N (i.e., the number of types ofpeople is denoted N). A histogram of the database is denoted x. Thehistogram x is a vector in R^(N), with x_(i) denoting the number ofpeople of type i in the database, and R^(N) denoting the set of allpossible databases. The mapping from people to types may be applicationspecific, depending on the implementation.

More particularly, a database is given by a multiset of database rows,one for each individual (i.e., private data may be modeled as a databaseD of n rows, where each row of database D contains information about anindividual). Formally, a database D is a multiset of size n of elementsof the universe N={t₁, . . . , t_(N)} of possible user types (i.e., Ndenotes the size of the universe that the rows come from, and n denotesthe number of individuals in the database). The database can berepresented as its histogram x∈R^(N) with x_(i) denoting the number ofoccurrences of the i-th element of the universe. The algorithms hereintake as input a histogram x∈R^(N) of the database D, where the i-thcomponent x_(i) of x encodes the number of individuals in D of typet_(i). Thus, x would be a vector of non-negative integers with ∥x∥₁=n.Therefore, in this histogram representation, ∥x∥₁=n when D is a databaseof size n. Also, two neighboring databases D and D′ that differ in thepresence or absence of a single individual correspond to two histogramsx and x′ satisfying ∥x−x′∥₁=1. As described further herein, accurateanswers may be obtained for a given set of d linear queries over thishistogram x. This set of queries can be represented by a matrixA∈R^(dxN) with the vector Ax∈R^(d) giving the correct answers to thequeries. When A∈{0,1}^(dxN), such queries are referred to as countingqueries.

In other words, a histogram vector is a N-dimensional vector whichcounts the number of users of each type. The queries are specified by ad*N matrix A, and the query result is the vector Ax. The matrix A is ad*N matrix corresponding to d linear questions about the vector x. Thecorrect answer to this set of d queries is given by the vector Ax. Thedefinition of differential privacy and its error metric is well known tothose of skill in the art.

In an implementation, nearly minimal error (in terms of the mean squarederror) is added to the query results while guaranteeing (ε,δ)-differential privacy regardless of the number of people n in thedatabase. This noise distribution is a correlated Gaussian and dependson the query matrix A, and can often add a lot less noise than the worstcase bound of approximately √{square root over (n)} noise per query.This implementation has error close to the best possible. As describedfurther herein, the matrix A is decomposed into smaller components viathe minimum volume enclosing ellipsoid of the symmetric convex hull ofthe column vectors of A.

Approximate differential privacy (i.e., (ε, δ)-differential privacy) maybe defined as follows. A (randomized algorithm) M with input domainR^(N) and output range Y is (ε, δ)-differentially private if for everyn, every x,x′ with ∥x−x′∥₁=1, and every S⊂Y, M satisfiesPr[M(x)∈S]≦exp(ε)Pr[M(x′)∈S]+δ.

The (ε, δ)-differential privacy guarantee provides that a malicious useror third-party researcher who knows all of the attribute values of thedataset 135 but one attribute for one user, cannot infer with confidencethe value of the attribute from the information published by thealgorithm (i.e., the answer 165).

In some implementations (e.g., when δ=0), the privacy protector 160 mayguarantee a stricter form of privacy protection called ε-differentialprivacy (or pure differential privacy). In ε-differential privacy, the δparameter is set to zero. A basic property of differential privacy isthat the privacy guarantees degrade smoothly under composition and arenot affected by post-processing. Other privacy guarantees may also besupported, such as privacy guarantees related to comparing posteriorprobabilities with prior probability, or guarantees related toanonymity.

FIG. 2 is an illustration of an example privacy protector 160. As shown,the privacy protector 160 includes one or more components including ananswer generation engine 205, a base decomposition engine 210, acorrelated noise engine 220, and a least squares estimation engine 230.More or fewer components may be supported. The privacy protector 160,and its various components including the engines 205, 210, 220, 230 maybe implemented using a general purpose computing device including thecomputing device 600.

In accordance with the implementations herein, efficient nearly optimalalgorithms for approximate privacy in the cases of dense databases(n>d/ε, using the correlated noise engine 220 for example) and sparsedatabases (n=o(d/ε), using the least squares estimation engine 230 forexample) are provided. Implementations use the base decomposition engine210 to recursively compute an orthonormal basis for Rd, based on theminimum volume enclosing ellipsoid (MEE) or approximate MEE of thecolumns of the query matrix A.

In an implementation, a query 115 and the dataset 135 are provided tothe privacy protector 160. The answer generation engine 205, using knowntechniques for example, determines the correct answer to the query. Atthis point, the correct answer does not contain differential privacy anddoes not have noise added to it. Depending on the implementation,differential privacy is subsequently provided to the correct answer bythe base decomposition engine 210, the correlated noise engine 220,and/or the least squares estimation engine 230.

In an implementation, the base decomposition engine 210 may use a basedecomposition technique (an example is shown below as Algorithm 1) tocompute the orthonormal basis for R^(d), which may then be used by thecorrelated noise engine 220 and/or the least squares estimation engine230.

Algorithm 1 Base Decomposition   Input A = (a_(i))_(i=1) ^(N) ε R^(d×n)(rankA = d);     Compute E = FB₂ ^(d), the minimum volume enclosingellipsoid     of K = AB;     Let (u_(i))_(i=1) ^(d) be the (left)singular vectors of F corresponding to singular values σ₁ ≧ ... ≧ σ_(d);    if d=1 then       Output U₁=u₁.     else       LetU₁=(u_(i))_(i>d/2) and V=(u_(i))_(i≦d/2);       Recursively compute abase decomposition V₂,... V_(k) of V^(T)A (k ≦ ┌1+log d┐ is the depth ofthe recursion);       For each i>1, let U_(i)=VV_(i);       Output{U₁,... U_(k)}.     end if.

Algorithm 1, given a matrix A∈R^(dXN), computes a set of orthonormalmatrices U₁, . . . , U_(k), where k≧┌1+log d┐. For each i≈j, U_(i)^(T)U_(j)=0, and the union of columns U₁, . . . , U_(k) forms anorthonormal basis for R^(d). Thus, Algorithm 1 computes a basis forR^(d), and partitions (“decomposes”) it into k=O(log d) bases ofmutually orthogonal subspaces. This set of bases also induces adecomposition of A into A=A₁+ . . . +A_(k), where A_(i)=U_(i)U_(i)^(T)A.

The base decomposition of Algorithm 1 may be used in both the dense caseand sparse case following techniques and implementations describedfurther herein. Intuitively, for both cases it can be shown that theerror of a mechanism applied to A_(i) can be matched by an error lowerbound for A_(i+1)+ . . . +A_(k). The error lower bounds are based on thespectral lower bound on discrepancy; the geometric properties of theminimum enclosing ellipsoid of a convex body together with the knownrestricted invertibility principle of Bourgain and Tzafriri may be usedin deriving the lower bounds.

In an implementation, the correlated noise engine 220 may use atechnique (an example is shown below as Algorithm 2) whose expectederror matches the spectral lower bound up to polylogarithmic factors andis therefore nearly optimal. The technique adds correlated unbiasedGaussian noise to the exact answer Ax. The noise distribution iscomputed based on the decomposition algorithm above (Algorithm 1). Anexample of Algorithm 2 is given as:

Algorithm 2 Gaussian Noise Mechanism Input (Public): query matrix A =(a_(i))_(i=1) ^(N) ∈ R^(d×n) (rankA = d); Input (Private): database x ∈R^(N)  Let U₁, . . . , U_(k) be base decomposition computed by Algorithm1 on  input A, where U_(i) is an orthonormal basis for a space dimensiond_(i);  ${{Let}\mspace{14mu} {c\left( {ɛ,\delta} \right)}} = \frac{1 + \sqrt{2{\ln \left( \frac{1}{\delta} \right)}}}{ɛ}$ For each i, let r_(i) = max_(j=1) ^(N)∥U_(i) ^(T)A_(j)∥₂  For each i,sample w_(i) ^(~)N(0, c(ε, δ))^(d) ^(i)  ${{Output}\mspace{14mu} {Ax}} + {\sqrt{k}{\sum\limits_{i = 1}^{k}{r_{i}U_{i}w_{i}}}}$

The output of Algorithm 2 satisfies (ε, δ)-differential privacy.

In an implementation, a sequence of minimum volume enclosing ellipsoidsand projections is computed by the correlated noise engine 220, which isonly dependent on the query, not on the data. For each projection, thecorrelated noise engine 220 (alone or in conjunction with the answergeneration engine 205, depending on the implementation) determines thecorrect answer, and then adds Gaussian noise to the answer. Answers tothe original query 115 may be constructed using the answers toprojections.

More particularly, in an implementation, look at the convex body K=AB₁^(N), i.e., the image of the unit I₁ ball under the linear map A. B₁^(N) is the I₁ ball of radius 1 in R^(N) (this is the set of points x inR^(N) such that |x|₁ (defined as Σ|x_(i)|) is at most 1). This is asymmetric convex body in d dimensions. First compute E, the minimumvolume ellipsoid that encloses K (also known as the John ellipsoid ofK).

Next look at the axes of this ellipsoid E and look at their lengthsσ₁≦σ₂≧ . . . ≧σ_(N) in decreasing order. Suppose that the correspondingaxes are v₁, . . . v_(N). Let V be the subspace spanned by the axes v₁,. . . v_(n), and let W be the complementary subspace. Let K_(V), K_(W),and E_(V), E_(W) denote the projections of K and E to V and W,respectively.

Let y=Ax denote the true answer to the query and let y_(V) and y_(W)denote its projection to V and W, respectively. Next compute y′_(V) andy′_(W): the projection of y′ on V and W, respectively (as describedfurther below). The noisy answer y′ is equal to y′, +y′_(W).

y′_(V) is defined by adding multidimensional Gaussian noise to y_(V)according to the distribution defined by a scaled version of E_(V). Moreprecisely, add noise proportional to

$\frac{1 + \sqrt{2\; {\ln \left( \frac{1}{\delta} \right)}}}{ɛ}{times}\mspace{14mu} \sigma_{i}$

along the i-th axis v_(i) of E, for 1≦l≦n.

y′_(W) is defined by adding Gaussian noise to each coordinate of y_(W),of magnitude

$\frac{1 + \sqrt{2\; {\ln \left( \frac{1}{\delta} \right)}}}{ɛ}{times}\mspace{14mu} \sigma_{n + 1}$

and then using least squares projection to find the closest vector innK_(W) to the resulting noisy answer. This closest vector in nK_(W) isdefined as y′_(W).

This gives an (ε,δ) differentially private mechanism which has error atmost a polylog(d,n,N) times the optimal. Polylog(d,n,N) denotes somefunction which is bounded by some polynomial of log d, log n, and log N.

When a (ε,0) differentially private mechanism is desired, change theprocedure to get y′_(V) and y′_(W). y′_(V) can be obtained using thewell known generalized K-norm mechanism (e.g., Moritz Hardt and KunalTalwar) according to the body K_(V). y′_(W) can be obtained by firstrunning the generalized K-norm mechanism according to the body K_(W),and then using least-squares projection to find the closest vector innK_(W) to the noisy answer returned by generalized K-norm.

In another implementation, one can replace the exact minimum enclosingellipsoid by an approximate one. As long as the approximation is goodenough, the optimality can still be guaranteed.

In another implementation, which can be used alone or in conjunctionwith other implementations described herein, noise is reduced when thehistogram x is known to be sparse (e.g., when number of people n in thedatabase D is small). In this denoising implementation, the data analyst(or the curator, user, or administrator, for example) applies the leastsquares estimation (e.g., via the least squares estimation engine 230)on the noisy answer, to fit the noisy histogram to an answer that isconsistent with the histogram having total weight n=|x|₁ (i.e.,n=Σ|x_(i)|) where x_(i) is the number of people of type i, and n is thenumber of people in the database. It can be shown that even amongstmechanisms whose error is a function of the sparsity n, the correlatedGaussian noise coupled with least squares estimation leads to a nearoptimal mechanism. This denoising implementation reduces error and canbe used with any differentially private mechanism, including thosedescribed herein.

In an implementation, the least squares estimation engine 230 may use atechnique (an example is shown below as Algorithm 3) with strongeraccuracy guarantees than Algorithm 2. It may be used for any querymatrix A and any database size bound n. The technique combines the noisedistribution of Algorithm 2 with a least squares estimation step.Privacy is guaranteed by noise addition, while the least squaresestimation step reduces the error significantly when n=o(d/ε). Anexample of Algorithm 3 is given as:

Algorithm 3 Least Squares Mechanism   Input (Public): query matrix A =(a_(i))_(i=1) ^(N) ε R^(d×n) (rankA = d); database size bound n;   Input(Private): database x ε R^(N)     Let U₁, ..., U_(k) be basedecomposition computed by Algorithm 1 on input A, where U_(i) is anorthonormal basis for a space dimension d_(i);     Let t be the largestinteger such that d_(t) ≧ εn;     Let X = Σ_(i=1) ^(t) U_(i) and Y =Σ_(i=t+1) ^(k) U_(i);     Call Algorithm 2 to compute {tilde over (y)} =M_(g) (A, x);     Let {tilde over (y)}₁ = XX^(T) {tilde over (y)} and{tilde over (y)}₂ = YY^(T){tilde over (y)};     Let ŷ₁ = arg min{||{tilde over (y)}₁ − ŷ₁||₂ ²: ŷ₁ ε nXX^(T)K}, where K=AB₁;     Outputŷ₁ + {tilde over (y)}₂.

The output of Algorithm 3 satisfies (ε,δ)-differential privacy.

More particularly, the least squares estimation engine may take ananswer, such as the first noisy answer y′ and find a y″ such that y″=Ax″for some x″ with Σ_(i)|x″_(i)| being at most n, and |y′−y″|₂ being assmall as possible amongst all such y″. This operation is referred to asleast squares estimation where the nearest point to y′ in the convexbody nAB₁ ^(N) is determined. Various algorithms are known to solve thisleast squares estimation problem efficiently, such as Algorithm 3 above.It can be shown that y″ is much closer to y than y′, and this impliesthat the noise added to an average coordinate is only √{square root over(n)} polylog(d,N).

In an implementation, a least squares projection to the image of theI_(o) ball of radius n may be used, instead of the I₁ ball as above (anI_(o) ball of radius n is the set of points x in R^(N) that have at mostn non-zero coordinates). This may give better utility guarantee, at thecost of a more computationally intensive projection step.

It is contemplated that when the query A is a counting query or hasentries in [−1,1], one can use spherical Gaussian noise (which isindependent of the query) along with least squares to achieve the bestpossible bounds.

It is noted that in some settings n itself may not be public. This maybe handled, for example, by publishing a noisy version of n by addingLaplacian noise to the true n.

FIG. 3 is an operational flow of an implementation of a method 300 thatmay be used in providing differential privacy to a dataset. A dataset isreceived at 310. The dataset 135 may be received by the privacyprotector 160 from a dataset provider 130. The dataset 135 may comprisea database, or be retrieved from a database or other storage or memory,and may be a private dataset or a public dataset and may include aplurality of rows and each row may have a plurality of values orcolumns. The number of values in each row of the dataset 135 correspondsto the dimension of the dataset 135.

At 320, a query 115, in the form of a query matrix such as a linearquery or histogram, is received at the privacy protector 160. The query115 may be received from a client device 110, for example.

At 330, a base decomposition engine 210 of the privacy protector 160performs base decomposition using the dataset 135 and the query 115, asdescribed above. In this manner, a set of orthonormal matrices isdetermined, and an orthonormal basis for the database space isrecursively computed.

Using the results of the base decomposition, an answer 165 havingdifferential privacy is generated at 340. The answer 165 withdifferential privacy may be generated using a correlated noise engine220 and/or a least squares estimation engine 230 and their associatedtechniques as described above, for example.

At 350, the answer 165 having differential privacy is provided, e.g., bythe privacy protector 160 to the client device 110. Alternatively oradditionally, the answer 165 having differential privacy may bepublished so that it may be downloaded by interested third-partyresearchers or users.

FIG. 4 is an operational flow of an implementation of a method 400 forproviding differential privacy in the case of a dense database. Themethod 400 may be implemented by a correlated noise engine 220. At 410and 420 respectively, a dataset 135 and a query 115 are received by theprivacy protector 160. These operations are similar to those describedabove with respect to 310 and 320, and their descriptions are omittedfor brevity.

At 430, the results of the base decomposition technique (e.g., from 330)are received at the correlated noise engine 220 from the basedecomposition engine 210. A sequence of John ellipsoids and projectionsare computed at 440, using techniques such as those detailed above(e.g., with respect to FIGS. 1 and 2). It is noted that the sequence ofJohn ellipsoids and projections is dependent on the query, and not onthe data.

At 450, for each projection, a correct answer is determined by thecorrelated noise engine 220. The correct answer is the actual answerthat does not yet have any privacy or noise added to it. At 460, foreach correct answer, the correlated noise engine 220 adds Gaussian noiseto it to obtain an answer 165 having differential privacy. As detailedabove, the correct answer y=Ax is obtained, and independent Gaussiannoise is added to each coordinate of y of standard deviation (√{squareroot over (d)} log(1^(δ)))/ε to get a noisy answer y′. This processguarantees that releasing y′ does not compromise the privacy of anyindividual in the database: formally, this guarantees (ε,δ) differentialprivacy. Additional details of these operations are provided above(e.g., with respect to FIGS. 1 and 2).

At 470, similar to 350, the answer 165 having differential privacy isprovided, e.g., by the privacy protector 160 to the client device 110and/or is published.

FIG. 5 is an operational flow of an implementation of a method 500 forproviding differential privacy in the case of a sparse database. Themethod 500 may be implemented by a least squares estimation engine 230.

At 510 and 520 respectively, a dataset 135 and a query 115 are receivedby the privacy protector 160. These operations are similar to thosedescribed above with respect to 310 and 320, and their descriptions areomitted for brevity.

At 530, the results of the base decomposition technique (e.g., from 330)are received at the least squares estimation engine 230 from the basedecomposition engine 210. At 540, a noise distribution technique (e.g.,of the method 400) may be performed to obtain a noisy answer.

At 550, a least squares estimation technique (such as described abovewith respect to FIGS. 1 and 2) is performed on the noisy answer. Theresults of the least squares estimation technique may be provided (e.g.,to the client device 110) as an answer having differential privacy(e.g., an answer 165).

FIG. 6 shows an exemplary computing environment in which exampleembodiments and aspects may be implemented. The computing systemenvironment is only one example of a suitable computing environment andis not intended to suggest any limitation as to the scope of use orfunctionality.

Numerous other general purpose or special purpose computing systemenvironments or configurations may be used. Examples of well knowncomputing systems, environments, and/or configurations that may besuitable for use include, but are not limited to, personal computers(PCs), server computers, handheld or laptop devices, multiprocessorsystems, microprocessor-based systems, network personal computers,minicomputers, mainframe computers, embedded systems, distributedcomputing environments that include any of the above systems or devices,and the like.

Computer-executable instructions, such as program modules, beingexecuted by a computer may be used. Generally, program modules includeroutines, programs, objects, components, data structures, etc. thatperform particular tasks or implement particular abstract data types.Distributed computing environments may be used where tasks are performedby remote processing devices that are linked through a communicationsnetwork or other data transmission medium. In a distributed computingenvironment, program modules and other data may be located in both localand remote computer storage media including memory storage devices.

With reference to FIG. 6, an exemplary system for implementing aspectsdescribed herein includes a computing device, such as computing device600. In its most basic configuration, computing device 600 typicallyincludes at least one processing unit 602 and memory 604. Depending onthe exact configuration and type of computing device, memory 604 may bevolatile (such as random access memory (RAM)), non-volatile (such asread-only memory (ROM), flash memory, etc.), or some combination of thetwo. This most basic configuration is illustrated in FIG. 6 by dashedline 606.

Computing device 600 may have additional features/functionality. Forexample, computing device 600 may include additional storage (removableand/or non-removable) including, but not limited to, magnetic or opticaldisks or tape. Such additional storage is illustrated in FIG. 6 byremovable storage 608 and non-removable storage 610.

Computing device 600 typically includes a variety of computer readablemedia. Computer readable media can be any available media that can beaccessed by device 600 and includes both volatile and non-volatilemedia, removable and non-removable media.

Computer storage media include volatile and non-volatile, and removableand non-removable media implemented in any method or technology forstorage of information such as computer readable instructions, datastructures, program modules or other data. Memory 604, removable storage608, and non-removable storage 610 are all examples of computer storagemedia. Computer storage media include, but are not limited to, RAM, ROM,electrically erasable program read-only memory (EEPROM), flash memory orother memory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bycomputing device 600. Any such computer storage media may be part ofcomputing device 600.

Computing device 600 may contain communication connection(s) 612 thatallow the device to communicate with other devices. Computing device 600may also have input device(s) 614 such as a keyboard, mouse, pen, voiceinput device, touch input device, etc. Output device(s) 616 such as adisplay, speakers, printer, etc. may also be included. All these devicesare well known in the art and need not be discussed at length here.

It should be understood that the various techniques described herein maybe implemented in connection with hardware or software or, whereappropriate, with a combination of both. Thus, the methods and apparatusof the presently disclosed subject matter, or certain aspects orportions thereof, may take the form of program code (i.e., instructions)embodied in tangible media, such as floppy diskettes, CD-ROMs, harddrives, or any other machine-readable storage medium where, when theprogram code is loaded into and executed by a machine, such as acomputer, the machine becomes an apparatus for practicing the presentlydisclosed subject matter.

Although exemplary implementations may refer to utilizing aspects of thepresently disclosed subject matter in the context of one or morestand-alone computer systems, the subject matter is not so limited, butrather may be implemented in connection with any computing environment,such as a network or distributed computing environment. Still further,aspects of the presently disclosed subject matter may be implemented inor across a plurality of processing chips or devices, and storage maysimilarly be effected across a plurality of devices. Such devices mightinclude personal computers, network servers, and handheld devices, forexample.

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described above.Rather, the specific features and acts described above are disclosed asexample forms of implementing the claims.

What is claimed:
 1. A method comprising: receiving a dataset by acomputing device; receiving a query by the computing device; performingbase decomposition using the dataset and the query to generate anorthonormal basis, by the computing device; generating an answer to thequery; adding noise to the answer, by the computing device, using atleast one of correlated noise and least squares estimation; andproviding the answer with noise by the computing device.
 2. The methodof claim 1, wherein the dataset comprises a database.
 3. The method ofclaim 1, wherein the query is a histogram.
 4. The method of claim 1,wherein the query is a query matrix.
 5. The method of claim 4, whereinperforming the base decomposition comprises determining a set oforthonormal matrices and recursively computing an orthonormal basis forthe dataset, based on a minimum volume enclosing ellipsoid of columns ofthe query matrix.
 6. The method of claim 1, wherein adding noise to theanswer using at least one of correlated noise and least squaresestimation, comprises using the correlated noise to add noise to theanswer, wherein using the correlated noise comprises: computing asequence of John ellipsoids and projections based on the query;determining a correct answer for each of the projections; addingGaussian noise to each correct answer according to the correspondingJohn ellipsoid; and combining the answers from at least two of theprojections.
 7. The method of claim 1, wherein adding noise to theanswer using at least one of correlated noise and least squaresestimation, comprises using the least squares estimation to add noise tothe answer, wherein using the least squares estimation comprises:receiving a noisy answer; and performing the least squares estimation onthe noisy answer to generate the answer with noise.
 8. The method ofclaim 7, wherein the noisy answer is generated using correlated noise.9. The method of claim 1, further comprising determining whether thedataset is dense or sparse, and adding noise to the answer usingcorrelated noise if the dataset is dense, and adding noise to the answerusing least squares estimation if the dataset is sparse.
 10. The methodof claim 1, further comprising generating the noise based on a privacyguarantee.
 11. The method of claim 10, wherein the privacy guaranteecomprises ε-differential privacy or (ε,δ)-differential privacy.
 12. Amethod comprising: receiving a linear query at a computing device;determining an answer to the linear query, by the computing device;adding privacy to the answer, by the computing device, using at leastone of correlated noise and least squares estimation; and providing theanswer with privacy by the computing device.
 13. The method of claim 12,wherein the privacy comprises ε-differential privacy or(ε,δ)-differential privacy.
 14. The method of claim 12, whereindetermining the answer to the linear query uses a database, wherein thedatabase is dense or sparse.
 15. The method of claim 14, wherein addingprivacy to the answer comprises using correlated noise if the databaseis dense, and using least squares estimation if the database is sparse.16. The method of claim 14, further comprising, prior to adding privacyto the answer, performing base decomposition using the database and thelinear query to generate an orthonormal basis, wherein the orthonormalbasis is used by the correlated noise and least squares estimation. 17.A system comprising: a dataset provider that provides a dataset; and aprivacy protector that: receives the dataset from the dataset provider,and receives a query; determines whether the dataset is dense or sparse;generates an answer to the query using the dataset and whether thedataset is dense or sparse, wherein the answer has differential privacy;and provides the answer with differential privacy to a client device.18. The system of claim 17, wherein the privacy protector performs basedecomposition using the dataset and the query to generate an orthonormalbasis, and uses the orthonormal basis in determining the differentialprivacy.
 19. The system of claim 17, wherein the privacy protectorprovides the differential privacy to the answer using at least one ofcorrelated noise and least squares estimation.
 20. The system of claim17, wherein the privacy protector provides the differential privacy tothe answer using correlated noise if the dataset is dense, and providesthe differential privacy to the answer using least squares estimation ifthe dataset is sparse.